d.从上面的信息可以看出,查看/proc/1264/fd/4就可以得到所要恢复的数据。如果可以通过文件描述符查看相应的数据,那么就可以使用I/O重定向将其重定向到文件中,如:
| [<a href="/cdn-cgi/l/email-protection" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" data-cfemail="8bf9e4e4ffcbe3e7e6e8eee5bdb2e5b8">[email protected]</a> ~]# cat /proc/1264/fd/4 > /var/log/secure |
e.再次查看/var/log/secure,发现该文件已经存在。对于许多应用程序,尤其是日志文件和数据库,这种恢复删除文件的方法非常有用。
| [<a href="/cdn-cgi/l/email-protection" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" data-cfemail="63110c0c17230b0f0e00060d555a0d50">[email protected]</a> ~]# ll /var/log/secure -rw-r--r--. 1 root root 3173904 Sep 20 17:24 /var/log/secure [<a href="/cdn-cgi/l/email-protection" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" data-cfemail="ec9e838398ac8480818f8982dad582df">[email protected]</a> ~]# head /var/log/secure Sep 17 03:28:15 hlmcen69n3 sshd[13288]: reverse mapping checking getaddrinfo for 137-64-15-51.rev.cloud.scaleway.com [51.15.64.137] failed - POSSIBLE BREAK-IN ATTEMPT! Sep 17 03:28:15 hlmcen69n3 unix_chkpwd[13290]: password check failed for user (root) Sep 17 03:28:15 hlmcen69n3 sshd[13288]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=51.15.64.137 user=root Sep 17 03:28:17 hlmcen69n3 sshd[13288]: Failed password for root from 51.15.64.137 port 59498 ssh2 Sep 17 03:28:18 hlmcen69n3 sshd[13289]: Received disconnect from 51.15.64.137: 11: Bye Bye Sep 17 03:28:22 hlmcen69n3 sshd[13291]: reverse mapping checking getaddrinfo for 137-64-15-51.rev.cloud.scaleway.com [51.15.64.137] failed - POSSIBLE BREAK-IN ATTEMPT! Sep 17 03:28:22 hlmcen69n3 unix_chkpwd[13293]: password check failed for user (root) Sep 17 03:28:22 hlmcen69n3 sshd[13291]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=51.15.64.137 user=root Sep 17 03:28:24 hlmcen69n3 sshd[13291]: Failed password for root from 51.15.64.137 port 37722 ssh2 Sep 17 03:28:25 hlmcen69n3 sshd[13292]: Received disconnect from 51.15.64.137: 11: Bye Bye |
